Update README.md

This commit is contained in:
Scott Sutherland
2022-04-05 20:52:08 -05:00
committed by GitHub
parent eb56df9697
commit f599e2cbe8

README.md

@ -14,121 +14,121 @@ Excessive SMB share ACLs are a systemic problem and an attack surface that all o
# Example Commands # Example Commands
<pre> <pre>
.EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default. .EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test
.EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default. .EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user
.EXAMPLE 3: Run from a domain computer as current user. Target hosts in a file. One per line.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -HostList c:\temp\hosts.txt
.EXAMPLE 4: Run from a non-domain computer with credential. Performs Active Directory computer discovery by default.
C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
PS C:\temp\test> Import-Module Invoke-HuntSMBShares.ps1
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user
--------------------------------------------------------------- .EXAMPLE 3: Run from a domain computer as current user. Target hosts in a file. One per line.
INVOKE-HUNTSMBSHARES PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -HostList c:\temp\hosts.txt
---------------------------------------------------------------
This function automates the following tasks:
o Determine current computer's domain
o Enumerate domain computers
o Filter for computers that respond to ping reqeusts
o Filter for computers that have TCP 445 open and accessible
o Enumerate SMB shares
o Enumerate SMB share permissions
o Identify shares with potentially excessive privielges
o Identify shares that provide reads & write access
o Identify shares thare are high risk
o Identify common share owners, names, & directory listings
o Generate last written & last accessed timelines
o Generate html summary report and detailed csv files
Note: This can take hours to run in large environments. .EXAMPLE 4: Run from a non-domain computer with credential. Performs Active Directory computer discovery by default.
--------------------------------------------------------------- C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| PS C:\temp\test> Import-Module Invoke-HuntSMBShares.ps1
--------------------------------------------------------------- PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user
SHARE DISCOVERY
--------------------------------------------------------------- ---------------------------------------------------------------
[*][03/01/2021 09:35] Scan Start INVOKE-HUNTSMBSHARES
[*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504 ---------------------------------------------------------------
[*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local This function automates the following tasks:
[*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
[*][03/01/2021 09:35] - 245 computers found o Determine current computer's domain
[*][03/01/2021 09:35] Pinging 245 computers o Enumerate domain computers
[*][03/01/2021 09:35] - 55 computers responded to ping requests. o Filter for computers that respond to ping reqeusts
[*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers o Filter for computers that have TCP 445 open and accessible
[*][03/01/2021 09:36] - 49 computers have TCP port 445 open. o Enumerate SMB shares
[*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers o Enumerate SMB share permissions
[*][03/01/2021 09:36] - 217 SMB shares were found. o Identify shares with potentially excessive privielges
[*][03/01/2021 09:36] Getting share permissions from 217 SMB shares o Identify shares that provide reads & write access
[*][03/01/2021 09:37] - 374 share permissions were enumerated. o Identify shares thare are high risk
[*][03/01/2021 09:37] Getting directory listings from 33 SMB shares o Identify common share owners, names, & directory listings
[*][03/01/2021 09:37] - Targeting up to 3 nested directory levels o Generate last written & last accessed timelines
[*][03/01/2021 09:37] - 563 files and folders were enumerated. o Generate html summary report and detailed csv files
[*][03/01/2021 09:37] Identifying potentially excessive share permissions
[*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems.. Note: This can take hours to run in large environments.
[*][03/01/2021 09:37] Scan Complete ---------------------------------------------------------------
--------------------------------------------------------------- |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SHARE ANALYSIS ---------------------------------------------------------------
--------------------------------------------------------------- SHARE DISCOVERY
[*][03/01/2021 09:37] Analysis Start ---------------------------------------------------------------
[*][03/01/2021 09:37] - 14 shares can be read across 12 systems. [*][03/01/2021 09:35] Scan Start
[*][03/01/2021 09:37] - 1 shares can be written to across 1 systems. [*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504
[*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems. [*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local
[*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems [*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
[*][03/01/2021 09:37] - Identified top 5 owners of excessive shares. [*][03/01/2021 09:35] - 245 computers found
[*][03/01/2021 09:37] - Identified top 5 share groups. [*][03/01/2021 09:35] Pinging 245 computers
[*][03/01/2021 09:37] - Identified top 5 share names. [*][03/01/2021 09:35] - 55 computers responded to ping requests.
[*][03/01/2021 09:37] - Identified shares created in last 90 days. [*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers
[*][03/01/2021 09:37] - Identified shares accessed in last 90 days. [*][03/01/2021 09:36] - 49 computers have TCP port 445 open.
[*][03/01/2021 09:37] - Identified shares modified in last 90 days. [*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers
[*][03/01/2021 09:37] Analysis Complete [*][03/01/2021 09:36] - 217 SMB shares were found.
--------------------------------------------------------------- [*][03/01/2021 09:36] Getting share permissions from 217 SMB shares
SHARE REPORT SUMMARY [*][03/01/2021 09:37] - 374 share permissions were enumerated.
--------------------------------------------------------------- [*][03/01/2021 09:37] Getting directory listings from 33 SMB shares
[*][03/01/2021 09:37] Domain: demo.local [*][03/01/2021 09:37] - Targeting up to 3 nested directory levels
[*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04 [*][03/01/2021 09:37] - 563 files and folders were enumerated.
[*][03/01/2021 09:37] End time: 03/01/2021 09:37:27 [*][03/01/2021 09:37] Identifying potentially excessive share permissions
[*][03/01/2021 09:37] Run time: 00:02:23.2759086 [*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems..
[*][03/01/2021 09:37] [*][03/01/2021 09:37] Scan Complete
[*][03/01/2021 09:37] COMPUTER SUMMARY ---------------------------------------------------------------
[*][03/01/2021 09:37] - 245 domain computers found. SHARE ANALYSIS
[*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping. ---------------------------------------------------------------
[*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible. [*][03/01/2021 09:37] Analysis Start
[*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default. [*][03/01/2021 09:37] - 14 shares can be read across 12 systems.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges. [*][03/01/2021 09:37] - 1 shares can be written to across 1 systems.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access. [*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems.
[*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access. [*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems
[*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK. [*][03/01/2021 09:37] - Identified top 5 owners of excessive shares.
[*][03/01/2021 09:37] [*][03/01/2021 09:37] - Identified top 5 share groups.
[*][03/01/2021 09:37] SHARE SUMMARY [*][03/01/2021 09:37] - Identified top 5 share names.
[*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares [*][03/01/2021 09:37] - Identified shares created in last 90 days.
[*][03/01/2021 09:37] because 49 systems had open ports and there are typically two default shares. [*][03/01/2021 09:37] - Identified shares accessed in last 90 days.
[*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default. [*][03/01/2021 09:37] - Identified shares modified in last 90 days.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs. [*][03/01/2021 09:37] Analysis Complete
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access. ---------------------------------------------------------------
[*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access. SHARE REPORT SUMMARY
[*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK. ---------------------------------------------------------------
[*][03/01/2021 09:37] [*][03/01/2021 09:37] Domain: demo.local
[*][03/01/2021 09:37] SHARE ACL SUMMARY [*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04
[*][03/01/2021 09:37] - 374 ACLs were found. [*][03/01/2021 09:37] End time: 03/01/2021 09:37:27
[*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares. [*][03/01/2021 09:37] Run time: 00:02:23.2759086
[*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive. [*][03/01/2021 09:37]
[*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access. [*][03/01/2021 09:37] COMPUTER SUMMARY
[*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access. [*][03/01/2021 09:37] - 245 domain computers found.
[*][03/01/2021 09:37] - 0 (0.00%) ACLs were found that are associated with HIGH RISK share names. [*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping.
[*][03/01/2021 09:37] [*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible.
[*][03/01/2021 09:37] - The 5 most common share names are: [*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default.
[*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names. [*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges.
[*][03/01/2021 09:37] - 4 backup [*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access.
[*][03/01/2021 09:37] - 2 ssms [*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access.
[*][03/01/2021 09:37] - 1 test2 [*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK.
[*][03/01/2021 09:37] - 1 test1 [*][03/01/2021 09:37]
[*][03/01/2021 09:37] - 1 users [*][03/01/2021 09:37] SHARE SUMMARY
[*] ----------------------------------------------- [*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares
[*][03/01/2021 09:37] because 49 systems had open ports and there are typically two default shares.
[*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access.
[*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK.
[*][03/01/2021 09:37]
[*][03/01/2021 09:37] SHARE ACL SUMMARY
[*][03/01/2021 09:37] - 374 ACLs were found.
[*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares.
[*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive.
[*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) ACLs were found that are associated with HIGH RISK share names.
[*][03/01/2021 09:37]
[*][03/01/2021 09:37] - The 5 most common share names are:
[*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names.
[*][03/01/2021 09:37] - 4 backup
[*][03/01/2021 09:37] - 2 ssms
[*][03/01/2021 09:37] - 1 test2
[*][03/01/2021 09:37] - 1 test1
[*][03/01/2021 09:37] - 1 users
[*] -----------------------------------------------
</pre> </pre>
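Review bot: the task list in this hunk still carries three typos that a README edit touching these lines should fix: "Filter for computers that respond to ping reqeusts" should read "ping requests", "Identify shares with potentially excessive privielges" should read "privileges", and "Identify shares thare are high risk" should read "shares that are high risk". Two smaller points in the same hunk: EXAMPLE 2 passes `-Credentials domain\user` while EXAMPLE 4 passes `-Credential domain\user`, so one of the two spellings does not match the function's parameter name and the examples should be made consistent; and the sample output line "33 potentially excessive privileges were found across 12 systems.." has a doubled period.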